We kicked off 2021 with the Florida water plant breach [1] and the Molson Coors [2] operational attack, proving once again that all industries are at risk of operational disruption when it comes to operational security. Anyone who believes they have their internet of things (IoT) and operational technology (OT) security risk under control is a threat actor’s dream come true. IoT and OT environments pose a much higher risk than IT when it comes to protecting the environment and public safety. It shouldn’t take another attack on a water treatment plant or a food and beverage company before security and risk leaders adopt a continuous improvement mindset to cybersecurity risk in their digital transformation efforts. Over the next few weeks, we will take a journey through managing IoT and OT security risk.
Most security and risk leaders have awareness, but the journey can feel overwhelming at times.
We will start at the beginning of the technology journey: asset discovery. You can’t protect what you can’t see, which makes asset discovery a fundamental imperative.
Asset discovery and management is the foundation of good IoT and OT security. Asset management functionality is crucial to forming a trusted IoT network for organizations, but currently it’s commonly overlooked.
Asset discovery capabilities enable organizations to detect IoT devices in networks when these devices are part of proprietary or non-IT-standard engineering networks, or if they are not continuously connected. Building an effective IoT asset database complete with attributes and entitlements for access by those devices is a major requirement of identity and access management.
We sat down with Mark Carrigan, the chief operating officer of PAS Global LLC (PAS is part of Hexagon AB), who shared that asset discovery means “discovering level zero to two devices.” He went on to explain that this means knowing the “hardware, software and firmware, manufacturing model and versions and serial numbers” to achieve true asset discovery. All these elements are vital to developing solid asset discovery. For example, “just knowing it’s a Rockwell PLC isn’t enough,” Mark concludes.
The lack of security controls for new OT and IoT has been brought about in part by OEMs’ lack of standards, customizations, and protocols. Thanks to an increasing number of security vendors offering asset discovery and network topology mapping platforms, the next step often involves a proof of concept (POC) effort with one or more solutions. However, this requires a tight partnership with functional asset owners, IT, and the vendor.
- Engage with vendors that offer technical support and help with professional services during POC trials to mitigate risk and ensure a smooth alternative analysis.
- Account for asset discovery management by conducting a physical inventory and reconciling it to assets identified in your POC.
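
One way to carry out the reconciliation in the last point, as an added example that is not part of the original article or any vendor's tooling. The CSV column names, device models, serial numbers and addresses are constructed for illustration; the required attributes follow the list Carrigan gives above.

```python
import csv
import io

# Attributes the article names as necessary for true asset discovery.
REQUIRED = ("vendor", "model", "firmware", "serial")

# Constructed sample data: a physical walk-down inventory and a POC tool export.
PHYSICAL_CSV = """serial,vendor,model,firmware,location
SN-1001,Rockwell,PLC-A,20.011,Pump house
SN-1002,Rockwell,PLC-A,20.011,Filter hall
SN-1003,ExampleCo,HMI-7,3.2,Control room
"""
DISCOVERED_CSV = """serial,vendor,model,firmware,ip
sn-1001,Rockwell,PLC-A,20.011,10.0.5.11
SN-1003,ExampleCo,HMI-7,3.4,10.0.5.30
SN-2001,ExampleCo,GW-2,,10.0.5.99
,Rockwell,,,10.0.5.12
"""

def load(text):
    """Parse CSV text into (records keyed by normalized serial, rows lacking a serial)."""
    keyed, unkeyed = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        serial = row["serial"].upper()
        if serial:
            keyed[serial] = row
        else:
            unkeyed.append(row)
    return keyed, unkeyed

def reconcile(physical_text, discovered_text):
    physical, _ = load(physical_text)
    discovered, unkeyed = load(discovered_text)
    report = {
        "not_discovered": sorted(physical.keys() - discovered.keys()),    # offline or unreachable
        "not_in_inventory": sorted(discovered.keys() - physical.keys()),  # unknown to asset owners
        "unidentified": [r["ip"] for r in unkeyed],                       # seen, but no serial
        "incomplete": sorted(s for s, r in discovered.items()
                             if any(not r[f] for f in REQUIRED)),
        "mismatched": {},
    }
    for serial in physical.keys() & discovered.keys():
        diffs = {f: (physical[serial][f], discovered[serial][f])
                 for f in ("vendor", "model", "firmware")
                 if physical[serial][f].lower() != discovered[serial][f].lower()}
        if diffs:
            report["mismatched"][serial] = diffs
    return report
```

Each bucket maps to a different follow-up: devices in `not_discovered` may be among those that are not continuously connected, while `unidentified` and `incomplete` entries show where the tool only got as far as "it's a Rockwell PLC."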